SecurityWeek reports that Amazon Web Services has issued updates to resolve an Amazon Relational Database Service vulnerability, which could be exploited to allow internal credential leaks.
The Amazon RDS flaw was discovered by Lightspin researcher Gafnit Amiga within the Aurora PostgreSQL engine's "log_fdw" extension, which enables SQL interface usage for database engine log access and foreign table creation. Threat actors could leverage the flaw to evade log_fdw extension validation to access files with internal credentials and other system files, according to Amiga, who reported the flaw last December. However, AWS stressed that the credentials exposed could not be leveraged to impact other customers or clusters. "No cross-customer or cross-cluster access was possible; however, highly privileged local database users who could exercise this issue could potentially have gained additional access to data hosted in their cluster or read files within the operating system of the underlying host running their database," said AWS.
Modern integrated graphics processing units, including those manufactured by AMD, Arm, Apple, Intel, Qualcomm, and Nvidia, could be targeted to expose sensitive data through the new GPU.zip side-channel attack, which exploits graphical data compression, The Hacker News reports.
CyberScoop reports that millions of files that may have sensitive information have been exposed by 314,000 internet-connected devices and servers with open directory listings, indicating potential significant exploitation.
BleepingComputer reports that several U.S. financial institutions and numerous cryptocurrency apps are having their users mostly targeted by an expanded Xenomorph malware campaign leveraging an updated version of the Android banking trojan that also set sights on users in Canada, Italy, Spain, Belgium, and Portugal.